Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
I hate any password requirement that says “special characters” but has a list of exceptions, like no
. , ! ;or empty spaces. Just tell the user to make a passphrase, enforce at least one empty space and, dunno, 25 characters minimum, and bam. It’s not like hackers try brute force anymore, they just hack insecure DBs full of user data and use that everywhere.